Author: coheigea
Date: Thu Oct 24 09:41:48 2019
New Revision: 1868861
URL: http://svn.apache.org/viewvc?rev=1868861&view=rev
Log:
Disallow external DTDs
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
URL:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java?rev=1868861&r1=1868860&r2=1868861&view=diff
==============================================================================
---
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
(original)
+++
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
Thu Oct 24 09:41:48 2019
@@ -138,8 +138,16 @@ public final class XMLUtils {
throws TransformerException {
DOMSource source = new DOMSource(element);
StreamResult result = new StreamResult(out);
+
TransformerFactory transFactory = TransformerFactory.newInstance();
transFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ try {
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,
"");
+ } catch (IllegalArgumentException ex) { //NOPMD
+ // ignore
+ }
+
Transformer transformer = transFactory.newTransformer();
transformer.transform(source, result);
}
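Review bot: Both `setAttribute` calls share one `try`, so if `ACCESS_EXTERNAL_DTD` is rejected with `IllegalArgumentException`, `ACCESS_EXTERNAL_STYLESHEET` is never attempted, and the empty catch leaves no trace that either restriction was skipped. On a `TransformerFactory` implementation that does not recognise these attributes, the method then runs with only `FEATURE_SECURE_PROCESSING`, and how far that restricts external access depends on the implementation. Setting each attribute in its own `try` and replacing `// ignore` with a comment that names the unsupported attribute (or a debug log, if the class has a logger) would make the fallback explicit. The enclosing method starts above the hunk, so its signature and callers are not visible here.

```java
transFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
try {
    transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
} catch (IllegalArgumentException ex) { //NOPMD
    // ACCESS_EXTERNAL_DTD not supported by this TransformerFactory; secure processing still set
}
try {
    transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException ex) { //NOPMD
    // ACCESS_EXTERNAL_STYLESHEET not supported by this TransformerFactory; secure processing still set
}
// … unchanged: newTransformer() and transform(source, result) …
```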